Opt in, opt out, shake it all about

Kate Murray


This blog has been written by Hempsons - Leading Health and Social Care Lawyers

Charities have had something of a bumpy ride lately… and the bad news is that it’s not over yet. On top of increasing scrutiny of fundraising carried out by charities, data protection law and the Information Commissioner have now come to the fore, with some big-name charities fined for data protection breaches. To top everything off, the new General Data Protection Regulation (GDPR) will be law by the end of May 2018 and this will have an impact on charities and social enterprises alike.

Although data protection and charities have mainly hit the headlines in the context of fundraising and use of donors’ details, it is important to understand that data protection law and the new GDPR affect all personal data held by charities, even those that do little or no fundraising.

It is also important to understand that this isn’t just an issue for charities – whilst non-charity social enterprises are unlikely to have the same issues on fundraising, the new GDPR will affect social enterprises too.

Such data might include members’ details and information about staff and volunteers as well as that about donors. With the GDPR introducing even bigger penalties than have been seen to date, it is important for all charities and social enterprises to get their heads round what is on the horizon and to plan accordingly.

In this piece, we answer a number of key questions and help you plan for the future.

1. How will our lives change with GDPR?

You may need to appoint a Data Protection Officer (DPO) if your core activities involve regular or systematic monitoring on a large scale, or processing special categories of data, e.g. medical information. The DPO’s role is to inform, advise and monitor compliance. More guidance is awaited from the ICO on requirements.

You will have to be in a position to demonstrate compliance with the Accountability Principles. This means you will need to keep detailed records that may need to be presented to the regulator on request, build evidence of your data protection compliance into your processes, and implement appropriate technical and organisational measures (i.e. policies and procedures) to ensure and demonstrate compliance.

2. Opt in or opt out: what’s the position?

Opt in is now the only way forward. Consent must be freely given. Silence, pre-ticked boxes on forms and inactivity are not acceptable. An individual must give a statement of clear affirmative action.

3. What about personal data that we already hold, such as members’ or donors’ information?

You need to review what information you hold

You need to secure consent from members – either at the time of joining or on renewal

Anyone whose data you hold needs to know why you hold their data and what you’re going to use it for

4. Do people have to consent to everything we do with their data?

Yes.

Individuals’ rights will increase under the GDPR

Data must only be used for the purposes for which the individual has given consent

Individuals must have the ability to easily ask you to delete their data

5. What could happen if we get it wrong?

You could be inspected by the ICO

You could be fined. Maximum fines of €20m or 4% of turnover

You could suffer significant reputational damage

As can be seen from the above, data protection is a complicated business and the cost of getting it wrong, both in monetary penalties from the Information Commissioner and, perhaps more importantly, in reputational damage, could be high.

It can really pay dividends to check out key documents like consent forms, and fundraising materials if applicable, to ensure compatibility with your stated privacy policy, and take care that those actually at the coalface of fundraising (both staff and volunteers) are properly trained.

If you get these things in order, and keep them that way, then (for fundraising charities) the combination of new fundraising law and practice and the interface with the GDPR and (for all charities and social enterprises) the GDPR won’t end up being as bad as it may seem.
